SAP Security Notes September 2014 – Review

SAP has released its monthly critical patch update for September 2014, which closes a number of vulnerabilities in SAP products. Most of them are Missing Authorization Check vulnerabilities.

The most critical issues

Our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update are patched by the following SAP Security Notes:

  • 1908631: SAP Payroll for Non-Profit-Organisationen has a Code Injection vulnerability. An attacker can inject and run their own code, obtain additional information that should not be displayed, modify or delete any data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code, or even perform a DoS attack. It is recommended to install this SAP Security Note to prevent these risks.
  • 2039905: SAP Business Objects has a Missing Authorization Check vulnerability. An attacker can use this vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.
  • 1979454: SAP UI services has a Missing Authorization Check vulnerability. An attacker can use this vulnerability to access a service without any authorization procedure and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation, and other attacks.

It is highly recommended to patch all of these issues to prevent business risks.

Checks for the issues are already available in ERPScan Security Monitoring Suite.
